Transitioning GPO to MDM Policies

Transitioning from traditional Group Policy Objects (GPO) to Modern Device Management (MDM) policies can be challenging. Some organizations have Group Policies that have been in place for over a decade and that may not be fully inventoried or well understood.

MDM does not have a 1-1 mapping for all legacy Group Policies.

Microsoft created the MDM Migration Analysis Tool – aka MMAT – to help.
MMAT will determine which Group Policies have been set for a target user/computer and cross-reference against its built-in list of supported MDM policies. MMAT will then generate both XML and HTML reports indicating the level of support for each Group Policy in terms of MDM equivalents.

You can find the MDM Migration Analysis Tool here

A very good and detailed 2018 Microsoft blog post describes which policy wins, depending on the Windows 10 version:

  • Windows 10 version 1709 and earlier: Group Policy will override MDM policies, even if an identical policy is configured in MDM.
  • Windows 10 version 1803 and beyond: there is a new Policy CSP setting called ControlPolicyConflict that includes the policy MDMWinsOverGP, with which the preference of which policy wins can be controlled, i.e. given to the Microsoft Intune MDM policy.
  • What happens to the policy if the device is unenrolled from Intune? If applicable, Group Policy will re-apply the policies in this scenario.

More details about the new ControlPolicyConflict settings can be found here
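
To check which side wins on a given device, the script below (an added example, not from the original post or from Microsoft) reads the OS build and the MDMWinsOverGP value and applies the version rules listed above. It assumes that applied Policy CSP values are mirrored in the registry under `PolicyManager\current\device`; the function name `Resolve-PolicyWinner` is hypothetical.

```powershell
# Added example: report whether Group Policy or MDM wins a policy conflict
# on the local Windows 10 device.
# Assumption: applied Policy CSP values are mirrored under this registry key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$OsKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Resolve-PolicyWinner {
    param(
        [Parameter(Mandatory)][int]$Build,
        [AllowNull()]$MdmWinsOverGp,   # $null when the value is absent
        [int]$MinBuild = 17134         # build number of Windows 10 version 1803
    )
    if ($Build -lt $MinBuild) {
        # Version 1709 and earlier: Group Policy always overrides MDM.
        return 'GroupPolicy'
    }
    if ($null -ne $MdmWinsOverGp -and [int]$MdmWinsOverGp -eq 1) {
        # Version 1803 and later with MDMWinsOverGP enabled.
        return 'MDM'
    }
    # Version 1803 and later, value unset or 0: Group Policy still wins.
    return 'GroupPolicy'
}

# Read the OS build number and the policy value (absent value yields $null).
$build = [int](Get-ItemProperty -Path $OsKey).CurrentBuildNumber
$value = (Get-ItemProperty -Path $PolicyKey -Name 'MDMWinsOverGP' `
            -ErrorAction SilentlyContinue).MDMWinsOverGP

# Emit one object per device so results can be collected across a fleet.
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    Build         = $build
    MDMWinsOverGP = if ($null -eq $value) { 'not set' } else { $value }
    Winner        = Resolve-PolicyWinner -Build $build -MdmWinsOverGp $value
}
```

MDMWinsOverGP only affects settings delivered through the Policy CSP, so a result of `MDM` does not cover Group Policies that have no Policy CSP equivalent.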
